I opted to remove Jellyfins default login form and require Keycloak for SSO, my Jellyfin instance is technically facing the internet but my reverse proxy has Fail2Ban in front of it blocking non-whitelisted IP’s, makes it easier to share with other people this way.